lazarusholic

Everyday is lazarus.dayβ

Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign

2026-05-10, Genians
https://www.genians.co.kr/en/blog/threat_intelligence/python

◈ Key Findings
- Initial access was carried out through spear-phishing emails with ZIP-compressed malicious LNK files attached
- Themes designed to arouse curiosity were used, including airline e-tickets, invitations to North Korea research events, and impersonation of defense and police officials
- When the LNK file is executed, it calls a batch file through environment variable-based obfuscated commands to download additional payloads
- BAT files using the same environment variable-based substring expansion technique are executed in sequence, maintaining communication with the C2 server
- A Compiled Python Script malware file with the .cat extension is downloaded from the C2 server to perform follow-up activities
- A behavior-based EDR response framework should be strengthened to identify obfuscation and multi-stage download abuse behavior
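The batch-file obfuscation described above relies on cmd.exe substring expansion (`%VAR:~start,len%`) to assemble a command out of pieces of ordinary environment variables. The following is an added defender-side example, not code from Genians or from the campaign: it counts such expansions per line as a triage heuristic and resolves them against a constructed environment so the assembled command can be read. The sample batch text, the environment values and the threshold of three expansions per line are all assumptions made for the demonstration.

```python
import re

# Matches cmd.exe substring expansion: %VAR:~start% or %VAR:~start,len%
SUBSTR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_()]*):~(-?\d+)(?:,(-?\d+))?%")

# Constructed environment, mimicking values an LNK-launched batch would see.
SAMPLE_ENV = {
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
    "PUBLIC": r"C:\Users\Public",
}

def batch_substr(value, start, length=None):
    """cmd.exe semantics: negative start counts from the end,
    negative length drops that many characters from the end."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        return value[start:]
    end = start + length if length >= 0 else n + length
    return value[start:end] if end > start else ""

def expand_substrings(line, env):
    """Replace every %VAR:~a,b% token with the substring it yields.
    Names are case-insensitive; unknown variables expand to "" as in cmd.exe."""
    upper_env = {k.upper(): v for k, v in env.items()}
    def repl(m):
        value = upper_env.get(m.group(1).upper(), "")
        length = int(m.group(3)) if m.group(3) is not None else None
        return batch_substr(value, int(m.group(2)), length)
    return SUBSTR_RE.sub(repl, line)

def scan_batch(text, env, threshold=3):
    """Return (line_no, expansion_count, deobfuscated_line) for lines whose
    number of substring expansions reaches the threshold (constructed heuristic)."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        count = len(SUBSTR_RE.findall(line))
        if count >= threshold:
            hits.append((no, count, expand_substrings(line, env)))
    return hits

# Constructed sample: line 2 assembles "cmd /c set Users" from env substrings.
SAMPLE_BAT = (
    "@echo off\n"
    "%COMSPEC:~-7,3% /c %COMSPEC:~9,1%%COMSPEC:~15,1%%COMSPEC:~14,1% %PUBLIC:~3,-7%\n"
)

if __name__ == "__main__":
    for no, count, expanded in scan_batch(SAMPLE_BAT, SAMPLE_ENV):
        print(f"line {no}: {count} expansions -> {expanded}")
```

Because the real values of variables such as COMSPEC differ between hosts, resolve against the environment captured from the affected machine rather than an analyst's workstation; the expansion count alone is host-independent and is the part suited to an EDR rule.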
1. Overview
Genians Security Center identified a threat campaign suspected of being associated with APT37 that combines an obfuscated batch file command invocation technique with Compiled Python-based malware.
This threat is distributed through email-based spear phishing in …

IoC
